<?php

ob_start();
include('db.php'); //includes user, db, host, pass  
$tbl_name="Users"; // Table name **needs to be edited with the name of the table containing our usernames and passwords

// Connect to server and select databse.
mysql_connect($HOST, $USER, $PASS)or die("cannot connect"); 
mysql_select_db("$DB")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['Login']; 
$mypassword=md5($_POST['password']); 
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE login='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    session_start();
    $_SESSION["lastActive"] = time();
    $_SESSION["Username"] = $myusername;
    while($row = mysql_fetch_array($result)){
        if($row['manager']){
            $_SESSION["manager"] = true;
            header("location:manager.php");
        }
        elseif($row['admin']){
            $_SESSION["admin"] = true;
            header("location:admin_approve_users.php");
        }
        else{
            header("location:order.php");
        }
    } 
}
else {
    echo 'alert("Wrong Username or Password")';
    header("location:login.php");
}
ob_end_flush();
?>
